I have an Elastic Beanstalk running with the default instance profile aws-elasticbeanstalk-ec2-role. The application uses private SSH keys to access external resources during installation, which means I am using an .ebextensions config file to copy stuff from S3.

However, for various reasons I need to change the instance profile, but I have found this surprisingly difficult, probably because my code has dependencies on the instance profile, and it seems like a configuration change through the AWS web console is only successful if the application is successfully deployed when the configuration change launches the new instance (changing instance profile results in a new instance being launched, then the old one is terminated).

I think the key issue is that my .ebextensions file references the instance profile (aws-elasticbeanstalk-ec2-role):

S3Auth: 
  buckets: 
    - <my-bucket>
  roleName: 
    ? "Fn::GetOptionSetting"
    : 
      DefaultValue: aws-elasticbeanstalk-ec2-role
      Namespace: "aws:asg:launchconfiguration"
      OptionName: IamInstanceProfile
  type: s3

If I change instance profile through the console, a new instance is launched and my application is deployed, which will fail, hence the config change is reverted. If I first change my .ebextensions to use the new role, deploying that will fail since the referenced instance profile does not match what the EB currently has. And even if deploying first (which will of course fail) and then changing the configuration, it seems like the newly deployed (failed) version will not be used but instead EB will probably fall back to the previous version, so this seems like a catch-22 scenario.

The solutions I have found are

  1. Create a new environment from scratch and specify instance profile from the start, using

$ eb create -ip <instance profile>

This works, but it may be highly undesirable having to terminate existing environments to release CNAMEs etc., to enable re-creating environments from scratch.

  2. Deploy a dummy Hello World application without dependencies on the instance profile, then change instance profile in the web console, then deploy the real application making use of the new instance profile.

Now, my questions.

  1. Since it seems like the problem is that the instance profile change and the application change need to be done atomically, is there a way to change the instance profile as part of an eb deploy command, e.g. by specifying the instance profile through .elasticbeanstalk/config.yml?

  2. Is there a way to create an .ebextensions config file with an S3 auth rule that doesn't directly reference the instance profile to use (which has to match what the EB has anyway!!), but rather "use the current instance profile"? It seems a bit redundant that .ebextensions files must state what instance profile to authenticate with, when the only one that will ever be usable is the one that the EB actually holds?

  3. Any other way around this problem?

JHH

0 Answers